I read the document at http://docs2x.smartfoxserver.com/AdvancedTopics/privilege-manager. I registered an account "demo" with the profile GUEST, which has the denied request "JoinRoom" set. When I log in with the account and set: session.setProperty("$permission", DefaultPermissionProfile.GUEST);, the "demo" account cannot join a room (as I expected) but the server doesn't throw any event for that. How can I receive the event in this case? For example: the account "demo" doesn't have permission to join any room. Can anyone help me?

Hi, I am not sure if you're talking about a server or client event. Which one is it? Server side events are generated only when a certain action can be completed. On the client side there is no event generated because it doesn't make sense to reply (and use bandwidth) for an action that is not allowed.

If you have planned that guest Users cannot join Rooms you should recognize Guest users from client side (the User object tells you the permission profile) and inhibit the interface buttons that cannot be used by that class of users.

I have one question for you. You said: "you should recognize Guest users from client side (the User object tells you the permission profile) and inhibit the interface buttons that cannot be used by that class of users". I don't think that it's a good solution. Because in the Privilege Manager in the Zone configuration, the profile named GUEST was set with some denied requests (for example Join Room). It means that an account with the profile GUEST cannot join a room. But when implementing the client, you want to check that if the account is NOT GUEST, it will join the room. In this case, the profile named GUEST doesn't set "BanUser" and I will check in client code: if the account is GUEST, it cannot ban users. So setting ban user for the profile GUEST is meaningless.

In more detail, in some cases, an account with the profile GUEST doesn't have permission to join a room but I still want to show the Join room button. How can I resolve this case?

Regards, Thong

Last edited by hoanghuybao on 03 Sep 2015, 11:31, edited 2 times in total.

Thanks for the clarification. The client check is done only for the purpose of showing the correct controls to the User.

I would expect that, as a GUEST, I am not shown parts of the interface that I cannot use. Right? What is the point of showing me a "JOIN" button if I have no rights to join any Room? It would be annoying.

So... detecting the User's privilege ID on the client side has only one purpose: to provide the user with the right controls.

Setting the profile from the Server side is necessary because malicious Users can easily work around your client check and attempt to perform unauthorized operations, if the server is not really checking.

In other words I could hack the client and successfully join any Room, even though my client is a GUEST and should not be able to do it.

Makes sense?

One more thing: the type of code you have posted is not what I would suggest to do. Checking if the client is GUEST before joining is indeed useless because the server will also check that for you.

Instead the User profile should simply inform the client application about what controls can be active / inactive for different types of Users.
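
The split discussed in this thread, as an added example that is not part of any post and is not SmartFoxServer API code: the server decides from the profile held in its own session, and the client uses the profile only to enable or disable controls. All names here (DENIED, handleRequest, controlsFor, auditLog) are hypothetical, and the server-side audit log is an assumption of this sketch.

```javascript
// Self-contained model; every identifier is hypothetical, sample data is constructed.
// Server side: per-profile deny list, standing in for the zone's Privilege Manager.
const DENIED = { GUEST: new Set(["JoinRoom"]), STANDARD: new Set() };
const rooms = { lobby: new Set() };
const auditLog = []; // assumption: denied attempts are recorded server-side

// The profile comes from the server-held session, never from the request body.
function handleRequest(session, request) {
  const denied = DENIED[session.profile];
  if (!denied || denied.has(request.type)) {
    // Unknown profile or denied request: no reply goes back to the client.
    auditLog.push({ user: session.user, type: request.type });
    return null;
  }
  if (request.type === "JoinRoom") {
    const room = rooms[request.room];
    if (!room) return { type: "RoomJoinError", reason: "no such room" };
    room.add(session.user);
    return { type: "RoomJoined", room: request.room };
  }
  return { type: "Ok" };
}

// Client side: the profile only decides which controls are active.
const CLIENT_CONTROLS = { GUEST: { join: false }, STANDARD: { join: true } };
function controlsFor(profile) {
  return CLIENT_CONTROLS[profile] || { join: false };
}

function demo() {
  const guest = { user: "demo", profile: "GUEST" };
  const member = { user: "alice", profile: "STANDARD" };
  // A modified client skips the disabled button and even claims another
  // profile in the payload; the server ignores that field.
  const forged = handleRequest(guest, {
    type: "JoinRoom", room: "lobby", profile: "STANDARD",
  });
  const ok = handleRequest(member, { type: "JoinRoom", room: "lobby" });
  return { forged, ok, members: [...rooms.lobby], logged: auditLog.length };
}
```
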